Connect with us

CyberSecurity

The Ghost Phishing Wave That Makes Traditional Email Security Blink

Published

on

ghost phishing

The Invisible Threat That Activates Inside Your Browser

A fresh wave of attacks is quietly dismantling the assumptions behind most corporate email defenses. Dubbed “ghost phishing,” the technique comes from a campaign security researchers are tracking as EvilTokens — and it’s already hitting businesses across the US and Europe.

Here’s what makes it different: the malicious page doesn’t exist when the email lands. It doesn’t appear when the URL scanner checks it. It only springs to life — fully formed and dangerous — after it decrypts inside the victim’s browser. By then, the damage is often underway.

For CISOs and security teams, this isn’t just another phishing variant. It’s a direct attack on the core assumption that scanning a link at the time of delivery is enough.

How EvilTokens Turns a Blind Spot Into a Breach

The EvilTokens campaign works by embedding a URL that points to a seemingly harmless page. Standard email security tools — the kind that inspect links in real time — see nothing suspicious. The page is blank, or returns a benign status code. It passes every check.

But that URL contains an encrypted payload. When the recipient clicks it, the page decrypts inside the browser using client-side JavaScript. Suddenly, a convincing login page for Microsoft 365 appears. The victim, believing they’ve hit a legitimate authentication screen, enters their credentials. The attackers now have access to email, files, and whatever else sits behind that account.

This is not a theoretical flaw. Researchers have documented active compromises tied to the campaign, with attackers moving quickly from credential theft to data exfiltration and lateral movement inside corporate networks.

Why Traditional Email Security Misses the Mark

Most email security platforms rely on a handful of techniques: reputation analysis, URL sandboxing, and machine learning models trained on known malicious patterns. They work well against conventional phishing — the kind where the malicious page is already live when the link is checked.

Ghost phishing breaks that model entirely.

Because the malicious content is encrypted and only rendered client-side, there’s nothing for the scanner to find. No malicious JavaScript. No fake login form. No phishing indicators. The page is a ghost — invisible until the moment it needs to be seen by the victim, not the security tool.

This approach also evades time-of-click inspection, a more advanced protection that re-checks URLs when the user clicks. If the page still hasn’t decrypted at that moment, it passes again. The attack only reveals itself milliseconds later, inside the browser’s rendering engine.

What This Means for Microsoft 365 Defenders

The campaign specifically targets Microsoft 365 credentials, making it a direct threat to the thousands of organizations that rely on the platform for email, collaboration, and cloud storage. Once an attacker has a valid session token or password, they can access Microsoft 365 security settings, reset multi-factor authentication, and exfiltrate data without triggering alarms.

Security teams need to ask a hard question: if your email gateway can’t see the attack, what is your second line of defense?

Practical Defenses Against Ghost Phishing

There is no single magic bullet for ghost phishing, but a layered approach can significantly reduce risk.

  • Browser-level isolation: Technologies like remote browser isolation execute all web content in a sandboxed environment. Even if a page decrypts maliciously, it never touches the user’s actual browser or network.
  • Behavioral analytics for email: Look for anomalies in sender behavior, reply patterns, and email routing — not just link reputation. The EvilTokens campaign often uses compromised legitimate accounts to send the phishing emails.
  • Client-side JavaScript monitoring: Some endpoint detection tools can flag unexpected JavaScript decryption or DOM manipulation, even if the initial URL was clean.
  • User reporting and rapid response: Since no filter catches every ghost phish, a strong reporting culture and automated incident response workflow are critical. Every second counts when credentials are being harvested.

These defenses don’t replace traditional email security — they supplement it. The goal is to catch what the scanners miss, and to limit damage when a user does fall for the lure.

The Bigger Picture: A New Category of Email Attack

Ghost phishing represents a structural shift in how attackers think about evasion. Instead of trying to hide from scanners through obfuscation or domain rotation — tactics that security vendors have learned to counter — they simply refuse to show the malicious content until the scanner has already moved on.

This is harder to build than a typical phishing kit. It requires careful encryption logic, reliable decryption in the browser, and a delivery chain that avoids raising suspicion. The fact that EvilTokens is already operational suggests that attackers are investing in sophistication, not just volume.

For security leaders, the takeaway is uncomfortable but clear: the email security stack that worked five years ago is no longer sufficient. The ghosts are already inside the machine. The question is whether your defenses can see them.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

Fresh SharePoint Vulnerability Exploited Within Days of Disclosure – CISA Adds to KEV Catalog

Published

on

SharePoint vulnerability exploited

Attackers Waste No Time Exploiting Critical SharePoint Flaw

Threat actors have already started exploiting a freshly patched, critical-severity remote code execution (RCE) vulnerability in Microsoft SharePoint, prompting urgent action from the US cybersecurity agency CISA. The flaw, tracked as CVE-2026-58644, carries a CVSS score of 9.8 and was fixed as part of Microsoft’s July 2026 Patch Tuesday updates.

Microsoft describes the issue as a deserialization of untrusted data vulnerability. In a network-based attack, an attacker authenticated as at least a Site Owner could write arbitrary code to inject and execute code remotely on the SharePoint Server.

CISA Adds SharePoint Vulnerability to KEV Catalog

On Thursday, just two days after Microsoft warned about the risk, CISA added CVE-2026-58644 to its Known Exploited Vulnerabilities (KEV) catalog. This move triggers a mandatory three-day patching deadline for all US federal agencies under Binding Operational Directive (BOD) 26-04.

Microsoft had not initially flagged the flaw as exploited. However, the company later updated its advisory to confirm that exploitation was detected in the wild and revised the CVSS score accordingly.

Other SharePoint Bugs and Fortinet Flaws Also Under Fire

The July 2026 Patch Tuesday release also addressed several other SharePoint defects. Among them was CVE-2026-56164, which Microsoft had previously marked as exploited as a zero-day. Another critical weakness, CVE-2026-55040, is a security bypass that could allow attackers to disclose files and modify data.

Alongside the SharePoint vulnerability, CISA added two OS command injection flaws in Fortinet FortiSandbox to the KEV list: CVE-2026-25089 and CVE-2026-39808. Both were patched in June and April, respectively. These bugs allow attackers to execute arbitrary code or commands on vulnerable appliances. Exploit intelligence company Defused flagged both as exploited in the wild in mid-June.

Federal Agencies on the Clock

Under BOD 26-04, federal agencies are required to patch all three exploited vulnerabilities within three days. The directive aims to reduce the attack surface of government networks by mandating rapid remediation of known exploited flaws.

What This Means for Enterprise Security Teams

The speed of exploitation — within days of disclosure — underscores a troubling trend. Attackers are increasingly scanning for and weaponizing newly patched vulnerabilities before many organizations can apply updates. For security teams, this means the window for patching critical flaws is shrinking.

Enterprises that use SharePoint Online may be less at risk if Microsoft applies patches automatically. However, organizations running on-premises SharePoint Server instances should prioritize testing and deploying the July 2026 security updates immediately.

Broader Context: A Busy Patch Cycle

Microsoft’s July 2026 Patch Tuesday was unusually heavy, addressing a record number of vulnerabilities. The company patched 622 flaws, including two exploited zero-days. The SharePoint RCE bug was one of several critical issues that demanded immediate attention.

Beyond SharePoint and Fortinet, other vendors also pushed critical fixes. Splunk and Zoom patched critical vulnerabilities in their products, while F5 addressed multiple flaws in NGINX and BIG-IP. The pace of disclosures and exploits shows no signs of slowing.

Recommendations for CISOs and IT Admins

  • Patch immediately: Apply the July 2026 SharePoint security update across all on-premises servers. Treat CVE-2026-58644 as an active threat.
  • Check FortiSandbox appliances: Ensure that firmware updates for CVE-2026-25089 and CVE-2026-39808 are installed. These flaws are already being exploited.
  • Monitor CISA’s KEV catalog: Bookmark the list and integrate it into your vulnerability management process. BOD 26-04 may not apply to your organization, but the catalog is a reliable indicator of active threats.
  • Review access controls: The SharePoint flaw requires Site Owner-level authentication. Review who holds such privileges and consider tightening them where possible.

As the gap between disclosure and exploitation narrows, proactive patching is no longer just best practice — it’s survival. The attackers are watching the same Patch Tuesday announcements you are. The difference is they act faster.

Continue Reading

CyberSecurity

Signed Microsoft Driver Weaponized: ‘GodDamn’ Ransomware Unleashes BYOVD Attacks on US Firms

Published

on

GodDamn ransomware BYOVD

A Signed Driver Turns Into a Weapon

A new ransomware strain dubbed GodDamn is making headlines for a particularly nasty trick: it leverages a Microsoft-signed kernel driver to disable endpoint security software before deploying its payload. The technique, known as Bring Your Own Vulnerable Driver (BYOVD), isn’t new—but the use of a legitimately signed driver makes it far harder to detect.

Security researchers at Trend Micro first spotted the campaign in late February 2025. The attackers are zeroing in on US-based organizations, including manufacturing firms, healthcare providers, and logistics companies. The goal? Disable defenses, steal data, and demand ransoms in cryptocurrency.

How BYOVD Turns a Signed Driver Into a Liability

BYOVD attacks work by exploiting a legitimate, signed kernel driver that contains a known vulnerability. In this case, the attackers use a driver signed by Microsoft that has a flaw allowing arbitrary code execution in kernel mode. Once loaded, the driver grants the ransomware the highest level of system access—ring 0—which lets it kill antivirus processes, delete backup files, and disable monitoring tools without triggering alerts.

The signed driver bypasses many security checks because the operating system trusts it. The attackers don’t need to exploit a zero-day; they just repurpose a driver that Microsoft already approved. This is the core of the BYOVD threat: the very mechanism meant to ensure trust becomes the attack vector.

Why US Companies Are in the Crosshairs

Trend Micro’s telemetry shows that GodDamn ransomware has hit at least 12 US organizations in the past month. The attackers appear to prioritize firms with weak endpoint detection and response (EDR) deployments—often smaller manufacturers or mid-sized healthcare groups that can’t afford layered security. Ransom demands range from $50,000 to $500,000, with payments directed to Bitcoin wallets.

The ransomware doesn’t just encrypt files; it exfiltrates data first. If the victim doesn’t pay, the attackers threaten to leak sensitive information on dark web forums. This double-extortion tactic has become standard in the ransomware ecosystem, but the BYOVD component gives GodDamn an edge: it can disable even the most aggressive EDR tools before they react.

The Technical Breakdown: What Happens Inside

When GodDamn infects a system, it drops a legitimate signed driver (often a known utility like aswArPot.sys or a similar driver from a security vendor) along with a loader. The loader calls the Windows service control manager to load the driver, which then communicates with the kernel. From there, the ransomware enumerates running processes and terminates anything related to security software—including antivirus engines, firewalls, and backup agents.

After clearing the defenses, GodDamn downloads its encryption module from a remote server. It uses a hybrid encryption scheme: AES-256 for file encryption and RSA-2048 for key protection. The ransomware targets over 400 file extensions, including databases, documents, and virtual machine images. It also deletes Volume Shadow Copies to prevent recovery without the decryption key.

Microsoft’s Response: A Patch and a Warning

Microsoft has since revoked the certificate used to sign the vulnerable driver and pushed a Windows Defender update that blocks the specific driver hash. The company also updated its Driver Blocklist policy to prevent the driver from loading on fully patched systems. However, the broader issue remains: any signed driver with a known vulnerability can be weaponized.

Security experts at Mandiant have urged organizations to implement driver blocklist policies proactively. They recommend using tools like Microsoft’s Driver Blocklist Policy or third-party solutions that monitor for unauthorized kernel driver loads. The key is to treat kernel-level access as a critical threat surface—even if the driver comes with a Microsoft stamp of approval.

Defending Against BYOVD Ransomware

Protecting against attacks like GodDamn requires a multi-layered approach. Here are the most effective steps security teams can take right now:

  • Enable driver blocklisting: Use Microsoft’s recommended blocklist or a third-party tool to prevent known vulnerable drivers from loading. Update the list regularly as new vulnerabilities are disclosed.
  • Deploy EDR with behavioral detection: Traditional signature-based antivirus won’t catch BYOVD. Endpoint detection and response tools that monitor for abnormal kernel driver loading can flag the attack early.
  • Restrict driver installation: Configure Windows Group Policy to only allow signed drivers from approved publishers. This won’t stop the attack entirely, but it adds friction.
  • Implement the principle of least privilege: Limit administrative rights on endpoints. BYOVD attacks often require admin-level access to load the driver, so reducing the number of privileged users reduces the attack surface.
  • Use application control: Tools like Windows Defender Application Control (WDAC) can block unauthorized executables, including driver loaders, from running.

The Bigger Picture: Trust but Verify

The GodDamn ransomware campaign is a stark reminder that digital signatures are not a guarantee of safety. Attackers are increasingly weaponizing signed drivers, and the security community is playing catch-up. Microsoft has improved its driver submission process in recent years, but the sheer volume of signed drivers makes it impossible to vet every one for latent vulnerabilities.

For now, the best defense is a healthy dose of skepticism. Treat every kernel driver—signed or not—as a potential threat. Monitor for unusual driver loading, keep blocklists updated, and assume that a signed driver can be turned against you. The attackers certainly are.

Continue Reading

CyberSecurity

GitHub ‘Verified’ Commits Aren’t as Trustworthy as You Think — Here’s the Proof

Published

on

GitHub verified commits

The ‘Verified’ Badge You Trust May Be Fooling You

That little green “Verified” badge next to a GitHub commit? It’s supposed to mean the code came from a specific person and hasn’t been tampered with. New research shatters that assumption.

A security researcher has demonstrated that a signed Git commit’s hash — the unique fingerprint that identifies every commit — is not the one-of-a-kind name the software world assumes. Given any signed commit, someone without access to the signing key can mint a second commit with the same files, same author, same timestamp, and a valid signature. GitHub still stamps it “Verified.”

Everything a reviewer would check matches. The commit’s hash does not. And that matters a lot.

How the Attack Works: Colliding Commit Hashes

Git relies on SHA-1 hashes to uniquely identify each commit. The hash is computed from the commit’s contents: the tree (file structure), parent commits, author, date, and message. When you sign a commit with GPG or SSH, Git signs that hash.

Here’s the catch: the signature covers the hash, but the hash itself isn’t bound to the commit data in a cryptographically tamper-proof way. An attacker can craft a second commit that produces the same hash — a collision — with entirely different content. Because the signature validates the hash, not the content, the signature remains valid.

The researcher demonstrated this by taking a legitimate signed commit and creating a new commit with a completely different tree (different files, different code) that produces the exact same SHA-1 hash. The signature from the original commit still verifies. GitHub’s interface shows “Verified.” A human reviewing the commit sees a green checkmark and moves on.

What the Attacker Can (and Cannot) Do

This isn’t a theoretical paper exercise. The researcher published a working proof-of-concept tool. Here’s what the attack enables:

  • Swap code silently: An attacker can replace the files in a signed commit with malicious code while keeping the signature valid.
  • Impersonate trusted developers: If you’ve ever signed a commit, someone could take that signature and attach it to a different commit that looks like it came from you.
  • Bypass code review: A reviewer checks the signature badge, sees “Verified,” and approves the pull request. The actual code could be anything.

But there are limits. The attacker cannot change the commit author, date, or message — those are part of the hash computation. They can only swap the tree (the actual file contents). For many supply-chain attacks, that’s more than enough.

Why GitHub’s ‘Verified’ Badge Is Misleading

GitHub’s interface treats a valid signature as proof of integrity. The badge says “This commit was signed with a verified signature.” Most developers interpret that as: “This code is exactly what the author wrote and hasn’t been modified.”

That interpretation is wrong. The signature proves the hash is authentic. It does not prove the commit’s content matches what was signed. Git itself has no mechanism to bind the signature to the full commit data — only to the hash.

The researcher reported the issue to GitHub’s security team. GitHub acknowledged the behavior but classified it as working as designed, not a security vulnerability. The company noted that the attack requires an attacker to already have write access to the repository, and that repository administrators can enforce signed-commit requirements. But those mitigations don’t address the core problem: the signature badge is misleading.

What This Means for Software Supply Chain Security

This flaw matters most in automated supply-chain pipelines. Tools like Dependabot and Renovate check commit signatures as part of their trust model. A bot sees “Verified” and merges. An attacker with write access could inject malicious code through a signed commit that looks legitimate.

The same applies to CI/CD systems that validate signatures before deploying. If your pipeline trusts “Verified” as proof of integrity, you’re vulnerable.

How to Protect Yourself (Without Waiting for GitHub)

GitHub isn’t likely to change this behavior soon. In the meantime, here’s what you can do:

  • Don’t rely on the badge alone: Verify the actual commit content. Use git log --show-signature and compare the hash with the commit data.
  • Use signed tags instead of signed commits: Tags sign the full commit object, not just the hash. This attack doesn’t work against signed tags.
  • Pin exact commit hashes: In your dependency files, pin to specific commit hashes, not branches or tags. Verify the hash matches the expected content.
  • Audit your supply chain: Review which commits are signed and by whom. Look for commits with valid signatures but unexpected content.
  • Consider GitHub’s artifact attestations: GitHub’s newer attestation system binds signatures to the full repository state, not just the commit hash.

The green badge is convenient. It’s also a false sense of security. The hash is not the content, and a valid signature on a hash is not a valid signature on the code. Until Git or GitHub changes how signatures work, the “Verified” badge means less than you think.

Continue Reading

Trending